Track Common Adversary Tasks Performed Using Mimikatz

To know more about it, you can go through my detailed document by clicking here

Mimikatz

Mimikatz is a credential dumper that extracts plaintext Windows account passwords, NTLM hashes and Kerberos tickets from memory, and it also lets the user view and save authentication material such as Kerberos tickets for later reuse. It was created by Benjamin Delpy to prove to Microsoft that its authentication mechanisms were vulnerable (originally, that the WDigest provider kept logon passwords recoverable from LSASS memory). The toolset is still maintained and updated to cover the latest attack techniques.

Attackers also use Mimikatz to steal credentials and escalate privileges. The stock binary is widely signatured, so antivirus and endpoint protection software usually detects and quarantines it; attackers therefore tend to rely on recompiled or in-memory variants. Penetration testers and researchers commonly use Mimikatz to test how well a network's credentials are protected.

Common Features of Mimikatz

Mimikatz can demonstrate the following techniques:

  • Pass-the-Hash- Attackers use a stolen NTLM password hash to authenticate as the user instead of the password. NTLM authentication only ever proves knowledge of the hash, so the hash never has to be cracked.

  • Pass-the-Ticket- Similar to pass-the-hash, but for Kerberos: Mimikatz extracts a user's Kerberos tickets (TGT or service tickets) from memory, and the attacker injects them into a session on another computer to act as that user.

  • Over-Pass-the-Hash (Pass-the-Key)- Uses a user's NTLM hash or AES key (the Kerberos long-term key) to request a valid Kerberos TGT from the domain controller, turning a stolen hash into a Kerberos ticket for that user.

  • Kerberos Golden Ticket- A type of pass-the-ticket attack using a forged TGT signed with the krbtgt account's hash. The attacker chooses the user, group memberships (typically domain admin) and lifetime, so the ticket works against any computer in the domain and stays valid until the krbtgt password has been changed twice.    

  • Kerberos Silver Ticket- Also a pass-the-ticket variant, but the forged ticket is a service ticket (TGS) signed with the hash of the account that runs the target service. Because the service does not normally validate the ticket's PAC with the domain controller after issuance, the forged ticket grants access to that specific service without the DC ever seeing a request. 

  • Pass-the-Cache- Essentially pass-the-ticket using the Kerberos credential cache (ccache) files that Mac/UNIX/Linux systems save on disk; Mimikatz can reuse the tickets they contain on Windows. 
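The pass-the-hash bullet above is the point that makes every other technique on this page dangerous: in NTLM, the NT hash is the credential. The following is an added example (not code from the original post and not Mimikatz code) that computes a user's NT hash from the password and then derives an NTLMv2 challenge response twice, once from the password and once from the hash alone, as an attacker who dumped it from LSASS would hold it. The server challenge, client challenge, timestamp, user name and domain are constructed values; MD4 is implemented in pure Python because OpenSSL 3 builds of hashlib often do not ship it.

```python
"""Why Pass-the-Hash works: in NTLM the NT hash *is* the credential.

Added example, not code from the original post or from Mimikatz. All names,
challenges and timestamps below are constructed for the demonstration.
"""
import hashlib
import hmac
import struct

_MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320 (3 rounds of 16 operations per 64-byte block)."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)  # bit length, little-endian
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1: words in order 0..15
            a = _rotl((a + f(b, c, d) + x[i]) & _MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2: words 0,4,8,12,1,5,...
            k = (i % 4) * 4 + i // 4
            a = _rotl((a + g(b, c, d) + x[k] + 0x5A827999) & _MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3: words 0,8,4,12,2,10,...
            k = (0, 2, 1, 3)[i // 4] + (0, 8, 4, 12)[i % 4]
            a = _rotl((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & _MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & _MASK, (b + bb) & _MASK, (c + cc) & _MASK, (d + dd) & _MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); this is what a credential dumper shows as 'NTLM'."""
    return md4(password.encode("utf-16-le"))


def ntlmv2_response(nt: bytes, user: str, domain: str,
                    server_challenge: bytes, blob: bytes) -> bytes:
    """NTLMv2 response (MS-NLMP 3.3.2). Note it consumes the NT hash, never the password."""
    ntlmv2_key = hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()
    nt_proof = hmac.new(ntlmv2_key, server_challenge + blob, hashlib.md5).digest()
    return nt_proof + blob


def client_blob(timestamp: int, client_challenge: bytes, netbios_domain: str) -> bytes:
    """NTLMv2_CLIENT_CHALLENGE (MS-NLMP 2.2.2.7) carrying one MsvAvNbDomainName AV pair."""
    name = netbios_domain.encode("utf-16-le")
    av_pairs = struct.pack("<HH", 0x0002, len(name)) + name + struct.pack("<HH", 0x0000, 0)
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + av_pairs + b"\x00" * 4)


def pass_the_hash_demo() -> dict:
    """Constructed exchange: the same server challenge answered from the password and from the hash only."""
    server_challenge = bytes.fromhex("0123456789abcdef")  # constructed
    blob = client_blob(0x01D9E3A0C0F1B200, bytes.fromhex("a1a2a3a4a5a6a7a8"), "CORP")
    legit = ntlmv2_response(nt_hash("password"), "alice", "CORP", server_challenge, blob)
    dumped = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")  # NT hash of "password", as dumped from LSASS
    replayed = ntlmv2_response(dumped, "alice", "CORP", server_challenge, blob)
    return {"legit": legit.hex(), "replayed": replayed.hex(), "identical": legit == replayed}


if __name__ == "__main__":
    print(pass_the_hash_demo())
```

The two responses are byte-identical, which is exactly why the server cannot distinguish a pass-the-hash logon from a real one, and why rotating the password (which changes the hash) is the only credential-side remedy once a hash has leaked.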

Protection against Mimikatz

Protecting a system against Mimikatz completely is difficult, but several methods reduce the risk:
  1. Limit administrative privileges to the users who actually need them; Mimikatz needs local administrator rights (debug privilege or SYSTEM) to read LSASS memory.
  2. Upgrade systems to Windows 8.1 or later (Windows 10/11 today), which no longer cache WDigest plaintext passwords by default and support the LSASS protections in point 5. 
  3. Harden the Local Security Authority (LSA) against code injection and plaintext credential caching, for example by disabling WDigest's UseLogonCredential so that plaintext passwords are no longer kept in LSASS memory.
  4. Give every Windows system a unique local administrator password instead of one shared administrative password across the enterprise (Microsoft LAPS automates this), so a single dumped hash cannot be replayed everywhere. 
  5. Run LSASS as a protected process (RunAsPPL, Windows 8.1 or later) so that Mimikatz cannot open it from user mode. This raises the bar rather than closing the door: an attacker who can load a signed kernel driver can still remove the protection, so pair it with monitoring.